Subnetting

Alright, just got my little free fon wifi router and I want to do my part and host the hotspot for a year while keeping my network secure. I want people to access the internet through the public wifi, but not have the ability to host any servers or see my local network.

So I have my DSL wifi router and the fon router. Right now I've set up my static IPs so there are two subnets:
mask: 255.192.0.0
my network is on: 10.64.x.x
fon will live on: 10.128.x.x

I'm confused as to what to do with the DSL router's IP as it must act as a gateway for both segments, but only has a single IP address. (Maybe I'm just going about this the wrong way?) Am I correct in assuming that my network would be hidden by the segmentation alone?
 
Dude, you need to read the fon forums... this has been a question that people have asked their security team since they first came out. The fon network is apparently on a separate VLAN'd segment in their device that they send you (or if you reflash).

If your router has multiple LAN interfaces (from the looks of it, that's how you have it set up) that can be addressed like that, you're absolutely fine as you are both physically and logically segmented. If you're extra paranoid, throw a firewall in between the fon AP and your DSL box. Call it a day.
 
I'm more interested in getting my network successfully segmented than the actual security part of things. ;o)

If it helps my router is a 2wire 1701HG, how do I use it to merge these two subnets? All I can find on the net is subnetting tutorials and basic stuff, what do I actually do to put these two subnets together?
 
Well I'm off to work this morning so I'll respond as quick as I can. If your modem can have multiple LAN addresses and assign those per port then you can do exactly what you want to with nothing more than addressing ports. If it can do tagging then you can also do that as well, you just need a switch or be able to assign more than one port of that router/AP/switch that you have to the specific VLAN with the tag.

If it can't do that, get another firewall/router (the cheapest) and hook it into an available port. This will create a new physical and logical segment off your LAN that is completely firewalled as long as you hook it into the WAN port on the router/firewall (or red interface).
 
I don't think I can give it an IP based on whichever ethernet port it happens to be connected to (too cheap of a router), but could you go through 'tagging' in a little more detail just for theory purposes? (As I'm sure my router is too cheap for this feature as well.)

I do have another 2wire router and I think I may be able to do it like you say if I can figure out how to set it up so it gains connectivity through the ethernet port instead of PPPoE, but that seems kind of redundant. ;o) -- It will serve my purposes though.
 
A VLAN tag is an addition or extension to an Ethernet frame that signifies which specific VLAN the frame belongs to; it's just an identifier. When you have a tag set, a router knows exactly where to deliver the frame, assuming you were using multi-interfaces or subinterfaces and they're also tagged with the same VLAN tag. If your router can't do tagging then go the other route with multiple routers nested.

Code:
                                            ---- Secure LAN
Internet-------modem------router------ LAN PORTS
                                            -----router B-------- FON(untrusted)
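
The tagging described in the last reply, as an added example that is not part of the original thread: it builds and parses an 802.1Q tag and applies a simplified same-VLAN delivery rule. The port names and VLAN IDs 10 and 20 are assumptions made up for illustration, and real switches also distinguish access ports from trunk ports, which this model leaves out.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
# Hypothetical port-to-VLAN membership (constructed): 10 = secure LAN, 20 = FON
PORT_VLAN = {"lan1": 10, "lan2": 10, "fon_ap": 20, "fon_uplink": 20}

def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag if vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:  # 0 and 4095 are reserved
            raise ValueError("VLAN ID must be 1..4094")
        tci = (priority << 13) | vlan_id  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return (vlan_id, priority, ethertype); vlan_id is None when untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner

def egress_ports(frame, ingress, port_vlan=PORT_VLAN):
    """Ports the frame may leave on: same VLAN as the tag, never the ingress port.
    Untagged frames and tags that do not match the ingress port are dropped."""
    vlan_id, _, _ = parse_vlan(frame)
    if vlan_id is None or port_vlan.get(ingress) != vlan_id:
        return []
    return sorted(p for p, v in port_vlan.items() if v == vlan_id and p != ingress)

if __name__ == "__main__":
    src = bytes.fromhex("020000000001")  # constructed, locally administered MAC
    bcast = b"\xff" * 6
    guest = build_frame(bcast, src, 0x0800, b"hello", vlan_id=20)
    print(parse_vlan(guest), egress_ports(guest, "fon_ap"))
    mismatched = build_frame(bcast, src, 0x0800, b"hello", vlan_id=10)
    print(egress_ports(mismatched, "fon_ap"))  # tag does not match the ingress port
```

A broadcast tagged for the FON VLAN only ever reaches the other FON port, which is why the tag alone is enough to keep the two segments apart on shared hardware.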
 